Open source software security

Hidden Scans - Using Side Channels to Map Targets

Using idle scanning can reveal sensitive configuration information about targets via a side channel. Not only can this type of scan show services that might otherwise be invisible, it is also completely passive. This means that the target of the scan will never observe traffic from the actual source of the scans. Only the idle host will be aware of any contact with the scanning machine. This can allow attackers to perform reconnaissance to either perform a completely hidden scan, for instance by using an idle zombie in a third party organization making it extremely difficult to trace the origin of the scan, or to map trust relationships in an organization by using a zombie target within the target organization.

Creating a Darknet Sensor Database

A darknet is a portion of the internet for which no traffic should legitimately bound. This traditionally includes unallocated IP address space but can include traffic destined for ports on hosts that do not listen on those ports. The idea behind monitoring darknet traffic is that it is a good way to spot automated scans of your network. Scans usually traverse IP space in an ordered fashion, attempting to connect to ports and services based on addressability rather than availability. A good example of this type of behavior is a NMAP scan of an IP range.

Using ClamAV to Prevent Malware and Data Loss

Maximizing the use of existing resources and bundling capabilities is becoming an increasingly common trend in information security. Using the applications and data sources that you have to their fullest capabilities and trying to limit the number of applications deployed in support of an information security program streamlines processes, reduces complexity and overhead, lowers cost, and ensures maximum return on investment for existing solutions. This concept can be extended to many products, from desktop security suites to log management software.

Configuring IPFW Firewall on OS X

The latest versions of Mac OS X, being based on BSD style Unix, have a lot of powerful features that are legacy to many Unix operating systems. One is the ipfw firewall. OS X actually has two firewalls by default, an application firewall that blocks access to specific programs, and the ipfw firewall, which is a much lower level firewall that operates by inspecting inbound packets and allowing or denying them based on source IP, destination IP, port and protocol. This allows a much finer grain of control for remote access to an OS X computer.

Installing VMWare Workstation 6.5.3 on Fedora 12

The recent Fedora kernel upgrade to 2.6.32 again wreaked havoc on all my Linux installations. Every time a kernel upgrade comes out my VMWare Workstation breaks, and typically my TrueCrypt installation as well, or at the very least my nVidia drivers. Thankfully nothing but the VMWare was a major problem this time. I kept getting installation failures on VMWare, specifically with kernel module configuration - the vmnet module to be precise. Finally I found the answers I needed at http://jbmoore61.blogspot.com/2010/02/fixing-vmware-workstation-652-and-linux.html.

Theming Views in Drupal 6

Views can be really powerful tools for creating lists or aggregations of node content already on your site. There are several powerful output formats for views including lists and sortable tables. However, if you want to move beyond these displays or add additional HTML or functionality to your view you may choose to apply a theme to it. In the same way that you can theme page, block, and node content you can also theme your views.

Drupal security process evolution

The Register just published an article on recent changes to the Drupal security team's stance to release candidate (RC) status modules. The article notes that Drupal security has clarified their support of modules by specifically removing support for modules RC1 and higher. This is an important change because it means that many more Drupal modules are not supported. Full disclosure: I was quoted for The Register article. I am not a member of the Drupal security team.

Customizing Drupal Content Type Input Forms

I've recently been struggling to alter a form in Drupal associated with the creation of a new node for a specific content type. I wanted something that wasn't as heavy as a module, and I couldn't seem to find a solution using views.

Getting Postfix to Relay Through Gmail

I have a home server running Fedora that I use as a media host. It's connected to my home LAN and is mainly used for playing songs from my MP3 collection or streaming music from Pandora. It's not a complex machine, but I like to be able to get reports from it in case something goes wrong. I have a Gmail account that I use to collect these sort of reports. Unfortunately my ISP blocks outbound port 25 connections so I can't use a traditional setup to e-mail myself using a local mail transport like Postfix (or Sendmail for that matter).

Chrome Clobbers Local Proxy

In today's age of open wifi hotspots and untrusted guest networks it is nice to have a way to protect your communications from snooping eyes. Luckily, it is quite easy to jump on any network connection and still maintain security (even if the connection is over an untrusted or unencrypted network). The solution is to use an Secure Shell (SSH) server and tunnel all of your traffic over SSH. This allows you to connect to any network, then send all your communications over an encrypted connection to an endpoint on a trusted network and then on to your destination.

Identifying Malicious Scripts by User Agent

I noticed an interesting phenomena today while reviewing my web server logs. I track requests to URL's that include patterns indicative of directory traversal attacks. The most common of these is an attempt to include the file "/proc/self/environ" which can be used for a remote code execution attack (as described in When is LFI Really ACE?). Most of these hits are probably automated scripts that are trolling around the internet, looking for servers vulnerable to specific exploits.

VMWare Workstation on Linux Kernel 2.6.40

I was having some trouble getting VMWare 7.1.4 running on my Fedora 15 machines running x86_64 kernel 2.6.40 until I found the patch described at http://linux-knowledgebase.com/cms/common/pdf.php?article_id=186 that points to the patch at http://linux-knowledgebase.com/userFiles/files/vmware2_6_39patchv3.tar.bz2. Installing the patch is a breeze with the instructions provided. Just unzip the patch with 'tar xvjf vmware2_6_39patchv3.tar.bz2', then run the patch using './patch-modules_2.6.39.sh'. Once that's done you can upgrade VMWare. I usually do this using: $ sudo vmplayer

Removing PHP Inputs from Drupal

The Drupal content management system allows access to features that enable users to write PHP directly through the Drupal administrative interface. This ability is a security risk because it places Drupal in the role of adjudicating access to the web server process. The ability to write PHP translates directly into access to web server control. In order to harden Drupal installations it is advisable to remove the ability to craft PHP via the web interface. Removing PHP input greatly reduces the threat that an attacker can use the Drupal system to take over the host web server.

Google Safe Browsing API

Google has put together a really cool API that allows developers to query their database of suspected malware and phishing sites. It's the same API that powers the Firefox phishing and malware protection and that Twitter now also uses. The API actually only exposes the MD5 hashes of suspected URLs which is nice. Not only is it consistent in value (MD5 hashes are always 32 hexidecimal characters) but it eliminates the hassle of dealing with all sorts of URLs and make search responsiveness a lot faster. Because you need a Google developer key there might be some protection against malware authors being alerted that their hosts have been reported, but given the proliferation of Google accounts I doubt this will be much of a hurdle.

Installing PHP 5.3 on CentOS 5.3

CentOS is a wonderful, stable, enterprise Linux distribution. Because it follows an enterprise model, however, the latest and greatest packages are often not available for installation from RPM repositories. In order to deploy binaries such as the new PHP 5.3 you'll need to compile them from source. Luckily this isn't terribly hard, but it does take some trial and error. I've tried to enumerate the process on a CentOS 5.3 host to take some of the pain out of it.

Installing TrueCrypt 6.2 on CentOS 5.3

TrueCrypt (http://www.truecrypt.org) is a great open source encryption package. Unfortunately installing TrueCrypt on Linux often involves building it from source. This can be quite a hassle due to the many dependencies. I've written up a short list of instructions for successfully installing TrueCrypt 6.2 on CentOS 5.3 (http://www.centos.org) to hopefully save others some of the time and hassle I had to go through to figure this out.

OSSEC Intrustion Detection System

OSSEC is an open source host based intrusion detection system (IDS). An IDS is one of the most important tools available to a security administrator. As a host based IDS (or HIDS), OSSEC is uniquely advantaged to monitor activity from the server side. Although a network based IDS may be able to spot malicious traffic and identify attacks based on traffic, a HIDS can look directly at log files and system behavior to spot oddities such as successful brute force attacks or evidence of rootkit installation.

Writing OSSEC Custom Rules and Decoders

OSSEC (http://www.ossec.net) is an open source host based intrusion detection system (HIDS). OSSEC can be used to monitor your local files and logs to check for intrusions, alert you of rootkit installation and do file integrity checking. OSSEC is a wonderful tool because it is highly customizable. By default OSSEC monitors many of the programs commonly installed on a machine, but it's real power comes from the ability of system administrators to customize OSSEC. By writing custom rules and decoders, you can allow OSSEC to parse through non-standard log files and generate alerts based on custom criteria. This allows OSSEC to monitor custom applications and provide intrusion detection services that might otherwise not be available, or would have to be developed on a per-application basis.

Creating Drupal External Authentication

Recently I recommended that my employer, the University of Pennsylvania School of Arts and Sciences, begin pushing Drupal as a CMS solution for departmental websites. There were a lot of factors to consider when evaluating the various CMS solutions available, especially for an institution of higher education. We took a look at a number of CMS solutions and based our evaluation on a wide breadth of criteria. Ultimately we scored each of the CMS solutions based on a common set of benchmarks. Typo3 was actually our first choice for deployment. Typo3 has a strongly tiered, but central deployment that allows you to set up test, staging and production servers but also maintain a single central deployment from which a multitude of sites can be run.

Modding RoundCube to Add Contact Information

Roundcube is a wonderful dynamic web based e-mail client. It serves pretty much all of my needs, except a few. Recently Ive been working on taking advantage of the fact that its open source software to add some new features that I feel are critical for me. One such feature was to expand the built in contacts function. I like to keep track of additional information, such as phone numbers, addresses, etc. in my online contact directory. Altering RoundCube to facilitate this functionality was actually quite simple and Ive outlined the steps below to add a Phone field to a contact record, but you can repeat the process to add pretty much any field youd like.

Adding Shared Contacts to RoundCube Email

After using Roundcube for some time I thought it would be neat to expand the Addressbook functionality to include things like actual physical addresses and phone numbers to each contact record. Additionally, since Roundcube is a hosted email solution, I thought it would be nice to be able to share contacts amongst other users on the same system. By adding a flag to each record, users can share their contacts amongst one another. This is nice because it cuts down on duplicate records and allows people to look up contact information with less work.

To modify RoundCube Email to allow for expanded contacts you first need to create new fields in the database. Here are the MySQL commands, but I�m sure you can replicate them through another interface:

Securing Drupal 7

As Drupal 7 becomes more popular it will also become a larger target for attackers. It is important to take steps to keep your Drupal 7 installation secure. The following are a set of guidelines that can be used to ensure the stability and security of your Drupal 7 installation. Some of the suggestions might be considered a little paranoid, but it's always better to be safe than sorry, and layers of defense will help defeat determined attackers.

The arrival of Drupal 7 has generated a lot of excitement.

Converting a Decimal Digit to IEEE 754 Binary Floating Point

IEEE 754 Binary Floating Point is a 32-bit representation (for single precision, 64 bits are used for double precision) for floating point numerals. The 32-bit representation consists of three parts. The first bit is used to indicate if the number is positive or negative. The next 8 bits are used to indicate the exponent of the number, and the last 23 bits are used for the fraction.

Using the Google Safe Browsing API from PHP

Google's new Safe Browsing API is a neat service that allows you to poll the MD5 hashes of known malware and phishing sites. This is especially handy because you can check URLs submitted to your site or service by internet users to make sure that they don't include malicious links. The API is relatively well documented at http://code.google.com/apis/safebrowsing/developers_guide.html so the purpose of this tutorial is mainly focused on how you can utilize PHP to implement the API. If you use Firefox you are probably familiar with the malware or phishing warning screen that shows up when you visit suspicious sites. This feature implements the Safe Browsing API.

Post Compromise Shell Shoveling

Shoveling a shell is a process whereby an attacker can gain interactive access to a compromised host. What distinguishes a shoveled shell is that the interactive shell runs on the attacker's machine, rather than the target. This allows an attacker to bypass firewall rules on a target, as the target sends a request to the attackers machine, and presents the shell there. The attacker simply uses an interactive connection on their local host to send commands to the remote host and receive the output locally.

Building an MD5 Rainbow Table

The MD5 hashing algorithm is a common way to store user passwords in many PHP based applications. This mechanism effectively obscures the password so that if the password store is compromised, user accounts are not necessarily exposed. This mechanism also obscures passwords from site administrators, protecting the privacy of users. However, an attacker can build a table of MD5 values for dictionary or other values and simply look up stolen MD5 values in this "rainbow table."

Protecting Your LAMP Site with a Robots.txt Honeypot

One standard form of information discovery and reconnaissance used by malicious attackers is to scan a target website and search for robots.txt files. The robots.txt file is designed to provide instructions to spiders or web crawlers about a site's structure and more importantly to specify which pages and directories the spider should not crawl. Often these files are used to keep a spider from crawling sensitive areas of a website, such as administrative interfaces, so that search engines don't cache the existence of such pages and functionality. It is precisely for this reason that a malicious attacker will look in a robots.txt file - they often provide roadmaps to sensitive data and administrative interfaces.

Hardening PHP from php.ini

PHP's default configuration file, php.ini (usually found in /etc/php.ini on most Linux systems) contains a host of functionality that can be used to help secure your web applications. Unfortunately many PHP users and administrators are unfamiliar with the various options that are available with php.ini and leave the file in it's stock configuration. By utilizing a few of the security related options in the configuration file you can greatly strengthen the security posture of web applications running on your server.

Writing Safer Database Queries from PHP

Database interaction is a critical component of most web based applications and unfortunately it can be the point at which many security vulnerabilities are introduced. Both PHP and MySQL include many features that developers can use to create safer web applications. Learning to use these features lowers the possibility of applications being exploited through vectors like SQL injection attacks.

Creating a Robots.txt Honeypot

One common method of attacker reconnaissance against a website is to inspect the robots.txt file. Normally this file is used to guide spiders and automated crawlers, but it can give away essential information about the location of administrative interfaces and other sensitive details. By salting the robots.txt file with fake entries, and then configuring the server to blacklist clients that call these fake entries, a server administrator can be alerted to probes of the robots.txt contents and attackers will be significantly slowed in their recon efforts.

Using Paros for Web Application Auditing and Debugging

Paros is a wonderful free Java based tool that is invaluable for web application auditing, testing, and debugging. Although Paros is well known in the web application security circles, it is less known in general web development circles. In this article I'll go over some of the great uses from Paros that cross over both realms. Paros' proxy feature is invaluable for inspecting traffic as it comes to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for.

Remote C Development Using Eclipse

One of the major challenges to most beginning C programmers is the lack of a good, open source IDE. C programming is daunting enough for most people, and having to utilized Unix editors like Vi or Emacs doesn't make C any more approachable. GNU/Linux is an ideal environment for learning C because of the easy availability of the powerful GCC and GDB tools.

Protecting Your Data During Computer Disposal

There often comes a time when you wish to get rid of older computer hardware. Sometimes you're getting a new computer, sometimes you're just buying a new hard drive, but whatever the reason, you should stop and pause before simply tossing your old hard drive or selling your computer online. Depending on your usage habits your hard drive could contain lots of sensitive personal and financial information. You should take steps to destroy that data before letting anyone else get a hold of your hard drive.

Installing Nikto on Windows

Nikto is a fast, extensible, free open source web scanner written in Perl. Nikto is great for running automated scans of web servers and application. Because Nikto relies on OpenSSL it is most easily installed and run on a Linux platform. The following tutorial will show you the many convoluted steps needed to install Nikto on Windows XP.

4 Simple Tips for Securing OpenSSH

Securing an SSH server is a simple process that many administrators overlook. The following are four simple steps you can take to help lock down your SSH server. Given the widespread nature of SSH brute force attacks it is well worth the effort to enforce some extra restrictions on your SSH server. Most of the suggestions outlined below rely on configuration changes that can be implemented in your sshd_config file. Note there are two separate configuration files, ssh_config, and sshd_config on most installations. Be sure to edit the sshd_config file (the d is for daemon, or the SSH service).

Installing Virtual Ubuntu on Windows

Using virtualization you can install Linux on your Windows host operating system without having to worry about dual booting or reconfiguring your hard drive.

Quick XML Stripping Script

Just a quick Perl script that I wrote out to strip elements out of an XML file based on the element property values. Handy when you've got huge XML files that you need to edit without walking the XML tree.

Rebuilding My URPMI Database

URPMI is a powerful package management utility for Mandriva Linux (formerly Mandrake). Using urpmi you can install and update packages to keep up with security patches and user requests. It is important to keep your urpmi database of sources up to date so you can install the latest patches and versions. This quick article explains how I rebuilt my urpmi database after completely ruining several config files.

Sync your Email with Perl and JPilot

How to get your email off a POP3 server and into JPilot so you can HotSync it over to your Palm using a Perl script. Note that I'm no Perl guru, so the script is effective, but not very elegant :)

Backing Up and Restoring MySQL Databases

If you've used MySQL for any length of time you've run into situations where you need to back up and restore databases. If you haven't thought about backups, now is the time to do it! You should regularly back up your important data to removable media (CD-ROM, Zip drive, floppy, etc.) so if your computer crashes you can get your data back. MySQL backup is no different. You can actually back up your data quite easily using MySQL. If you want to be really raw about it you can simply copy off all the files in /var/lib/mysql. If you check that directory it will show you all the files your MySQL database is using. This method is clumsy at best, however, and restoring data is a real problem if you have to rebuild a database. Your best option is actually mysqldump. This quick program will allow you to backup and restore your databases with ease and confidence.

VNC Computing with Linux

A short review of installing and running VNC, or Virtual Network Computing, on Linux including a brief review of functionality and customization.

Fun with Web Bugs

Just a quick little program that allows you to fire off raw commands to remote SMTP servers and facilitates composition of HTML email.

PGP on Windows Tutorial

How to get started using PGP - Pretty Good Privacy. This encryption software lets you send and recieve secure email, encrypt local files on your system, and decrypt PGP messages from other people.

Designing a Data Driven Website - Part II

Data modeling, building a solid foundation for your data driven site. By carefully considering your content and building a strong data model you can build a robust content display and management system. Careful attention to detail is critical at these early planning stages.

Using Crontab

Crontab is an incredibly useful function that allows users to schedule tasks in the same way as the system does with cron. Each user has their own crontab that they can maintain and edit.